From the Listening Post… 12/07/2010 (a.m.)

In my view, cyber war requires what war theorists call a “kinetic” aspect to be present. Put another way, an attack in cyberspace needs to have impressive kinetic impact of some sort out in the real world to be considered an act of war. So, if I can infect your command and control system with malware that gives me complete control, and then cause your predator drones to shoot at the wrong targets (a kinetic impact), that would count as an act of cyber war.

An overconcentration on offense can be very dangerous. The U.S. is supposedly very good at offense, but from a defense perspective it’s a completely different story. As usual, what I call “the NASCAR effect” applies — it is much more entertaining and shiny to talk about offense and its impacts than to focus on defense and building things right. A balanced approach to cyber war describes offense, defense, and exposure in equal measures.

Very real cyber war consequences sound outlandish and unrealistic…like a badly-written Hollywood movie. Those of us who work on computer security all day know that the consequences that Clarke describes are not only realistic — in many cases they may even be understated. The challenge is to convince people that this is an important issue to address without seeming like a lunatic.

We need to determine a sober and clear way to emphasize exposure to cyber war attack. I think some of the stories currently floating around are too sensational and thus seem to exaggerate possible problems even though, when you think through them carefully, they may well explain very real and very important exposures. This puts us in the tricky position of appearing to over-hype what remains undersold.

You won’t be surprised to hear me say that the only way we can lessen both the potential impact and the very possibility of cyber war is to build more secure systems. This starts with the software we all rely on to work. What’s the root of smart grid insecurity? Software. Malicious code? Software vulnerability. For what it’s worth, Clarke resonates with this view, and makes the point of saying so on page 86 where he says, “Of the three things that make cyber war possible, the most important may be the flaws in software and hardware.”

The problem with these kinds of stories is that they have somehow worked their way to the halls of policymakers who repeat them without critical analysis. For every careful Dan Geer there are ten shrieking cyber security talking heads busy stirring the pot saying things like, “We may call it espionage, but it’s really warfare. They’re planting logic bombs,” while offering no actual evidence of such.

The cyber war discussion is an issue that almost exclusively emanates from US policy makers and media outlets and it is largely tailored for domestic US consumption.

Cyber security is not only and solely a military problem but rather a complex network of intertwined economic, cultural, diplomatic and social issues. Ignoring myriad dimensions by over-focusing on military aspects alone looks to be a losing strategy.

Cyber security is global and international in nature.

Considering cyber security an exclusively military affair, thus setting US policy on the matter on a collision course with reality, is an unlikely way to achieve success.

Mike McConnell

Mike Hayden

Richard Clarke

At the very least, all three men understand how much dependence we have on systems riddled with security defects. Unfortunately, by and large, they posit mirage solutions based on defending networks and building better cyber weapons instead of proposing that we build better systems in the first place.

For years in computer security, we have been attempting to protect the broken stuff from the bad people by placing a barrier between the bad people and the broken stuff. We have failed. Instead, we need to fix the broken stuff so that attacking it successfully takes far more resources and skill than is currently the case. Discerning new ways to exploit the broken stuff or hunt and kill the bad people more rapidly will not alleviate our dependence on vulnerable cyber systems.

Perhaps the most concerning problem from a policy perspective is the default ceding of the entire cyber domain to the Department of Defense.

Meanwhile, civilian networks which account for at least 90% of our cyber exposure are left swinging in the wind. The problem is that even Cyber Command is focused on reactive computer security — protecting networks, seeking out bad guys and malware, and attempting to protect our broken stuff more effectively than the enemy protects theirs. Nobody in the government seems to be devoting much time and effort to carrying out an agenda of security engineering, software security, and building things properly. Meanwhile we all suffer the consequences of broken, vulnerable systems. We are exposed.

A good offense is NOT a good defense. Instead, a good defense is the ONLY defense. Throwing a better, more accurate rock in a glass house is still throwing a rock. Our systems are so permeated with problems that even an untrained child can exploit them.

Cyber crime and cyber espionage are more important than cyber war. The (very) bad news is that shiny new cyber weaponry will be repurposed for crime and spycraft — reason enough to take pause before charging ahead with offense. The good news is that fixing the broken stuff will help simultaneously combat crime, war, and espionage.

No security is perfect and problems will happen.

Cyber security policy must be built on the assumption that risk cannot be completely avoided, meaning that systems must continue to function even in sub-optimal conditions.

There is an active role for government in all this, not just regulation, but monitoring and enforcing due process and providing the right incentives and disincentives. In the end, somebody must pay for broken security and somebody must reward good security (only then will things start to improve). Determining who is who, which is which, and how best to apply these concepts is a matter for government.